Analysis
max time kernel: 1200s
max time network: 1203s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 14/08/2024, 00:48
Static task: static1
Behavioral task: behavioral1
  Sample: UPDATE-HSYEYDBB.html.lnk
  Resource: win10v2004-20240802-en
Behavioral task: behavioral2
  Sample: UPDATE-HSYEYDBB.html.lnk
  Resource: win11-20240802-en
General
Target: UPDATE-HSYEYDBB.html.lnk
Size: 1KB
MD5: ae64124a57d7f5de780f85b7456d90a2
SHA1: ab9a153c0da841ed0cbdd70664a48ba0959eb8a9
SHA256: 119f0a88b3366805f6a592742b7ced190010eb98c81f32e251bd42d968b68471
SHA512: 0e9ad80748d97e55708bf4939bbe0179d558d643679065c101fa52f861e4d4527cc7bd86795388892f5fd466d2ac959e11f0b89f3c84c673a86d3a62e35ae910
Malware Config
Extracted
latrodectus
https://mazdakrichest.com/live/
https://riverhasus.com/live/
Signatures
Latrodectus loader
Latrodectus is a loader written in C++.

Detect larodectus Loader variant 1 (3 IoCs)
resource                                                                     yara_rule
behavioral2/memory/3320-1-0x00000229FE780000-0x00000229FE793000-memory.dmp   family_latrodectus_v1
behavioral2/memory/4448-11-0x000001577F2B0000-0x000001577F2C3000-memory.dmp  family_latrodectus_v1
behavioral2/memory/4448-16-0x000001577F2B0000-0x000001577F2C3000-memory.dmp  family_latrodectus_v1
Blocklisted process makes network request (64 IoCs)
flow   pid   Process
11-74  4448  rundll32.exe   (64 rows, one per flow id from 11 through 74, all from PID 4448)
Loads dropped DLL (1 IoC)
pid   Process
4448  rundll32.exe
Creates a large amount of network flows (1 TTP)
This may indicate a network scan to discover remotely running services.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (8 IoCs)
pid   Process
3320  rundll32.exe  (4 hits)
4448  rundll32.exe  (4 hits)

Suspicious use of WriteProcessMemory (4 IoCs)
description                        pid   Process       procid_target
PID 4800 wrote to memory of 3320   4800  cmd.exe       79
PID 4800 wrote to memory of 3320   4800  cmd.exe       79
PID 3320 wrote to memory of 4448   3320  rundll32.exe  80
PID 3320 wrote to memory of 4448   3320  rundll32.exe  80

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Windows\system32\cmd.exe
   cmd /c C:\Users\Admin\AppData\Local\Temp\UPDATE-HSYEYDBB.html.lnk
   PID: 4800
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\system32\rundll32.exe
      "C:\Windows\system32\rundll32.exe" version1.dll, scab
      PID: 3320
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\rundll32.exe
         rundll32.exe "C:\Users\Admin\AppData\Roaming\Custom_update\Update_fbe146ab.dll", scab
         PID: 4448
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.4MB
MD5: f834dfc1861cd6361f34496c3bbafe66
SHA1: a983e82d009901310c8a3255c4b4e3a02d556fa7
SHA256: e99f3517a36a9f7a55335699cfb4d84d08b042d47146119156f7f3bab580b4d7
SHA512: 088a6170c948ddb2c2b0cf2431ae61688201ef5bc3f1af217a58bf18b26dd9e0ab7ee082f822e736d0467f62e33bf71b806127eb998bed8e739c1e441ac05e00